Recently Ryan McEndarfer, Editor-In-Chief at PaymentsJournal had the pleasure of speaking with Kenneth Montgomery, First Vice President & Chief Operating Officer at the Federal Reserve Bank of Boston about fraud. During the conversation, they talked about the new workgroup that the Federal Reserve is putting together to take a deeper look at fraud definitions as the industry looks to better manage the constant threat of payments fraud.
So again, thank you for joining me on today’s episode. Now, the Federal Reserve recently announced that it’s going to lead a group on fraud definitions. I’m curious if you can give us a little bit more detail about this work group and also if we could dive into a little bit more of why [there’s] the focus on ACH, wire and check fraud definitions.
Sure. We formed the fraud definitions work group to enhance understanding of ACH, wire and check fraud causes and trends by developing a set of consistent fraud definitions and a payments fraud classification model. The group will also develop a recommended industry road map for adoption of the taxonomy that we’ll develop. This is a Fed-led industry effort and the product at the end of our work will be one that will be owned and maintained by the Federal Reserve System.
We have identified 23 Fed and payments industry leaders and subject matter experts from a wide range of payments sectors to participate on this work group, and we expect that we’ll get our work completed sometime by the end of the year. We’re really shooting for a 9 to 12 month completion for the program efforts.
We’re focusing on ACH, wire and check fraud because there are typically more details reported on types of card fraud than are reported on ACH, wire or check [fraud]. As a result, the industry has limited capacity to identify and predict non-card payment fraud trends on a timely basis. ACH, wire and check payments are also exposed to new and rapidly evolving origination endpoint risks where security is more challenging to control. And then furthermore, as an operator of ACH, wire and check, the Fed is well positioned to help the industry to better understand fraud in this area. Our work group is intended to complement existing industry efforts and build upon the private sector’s progress by bringing together payment industry leaders with specific expertise.
I like to always note, however, that our recommended payments fraud classification model is not intended to lead to reporting mandates or regulations, but help the industry move forward in identifying fraud causes and trends.
Now as we talk about the work group here, could you give us a little bit of a background of which industry sectors are represented in this work group and how were those members chosen?
So we think we really have all sectors covered here and that we’ve got the processors and service providers, payment network operators, financial institutions of all sizes–small, medium and large–merchants, consumers, businesses and other end users, and then we also have representation from the Federal Reserve System.
In regards to how members were chosen, industry stakeholders who wanted to be considered for the work group submitted an expression of interest form that included their expertise in fraud and relevant experience related to ACH, wire and check. We received over 140 expressions of interest, so it gave us a real opportunity to select people from across the broad components of the industry I mentioned earlier, and people who really understand the mechanics associated with some of the fraud reporting we’re interested in. We also appointed some members to the work group from NACHA and the Clearing House, given their role in these payment types. And as I noted earlier, Fed representatives include those from our wholesale payments office and our retail payments office, to likewise provide that operator’s perspective as well.
Great and now as I understand it, the work group has held its first in-person meeting. From that meeting, do you get the sense of how broad or narrow these fraud definitions are going to be?
Well, I think it’s a little too early to say definitively, but the group is rallied around the idea of an expandable constructor, or a hierarchy, to organize the definitions within the fraud classification model. We envision the higher levels of this model will be broad and include all payment fraud scenarios, while the lower levels are likely to be more specific, enabling us to understand how the fraud occurred and better identify fraud trends. There was also a strong emphasis from the group, however the definitions unfold, that it should be clear, understandable and applicable to the real world.
Right. Now as we know, fraud is an ever-evolving problem. Do you think that payment fraud will continue to fit into the major categories or taxonomies that we have as it evolves and twists, or do you expect that new categories are going to be required over time as fraud really is kind of expected to innovate as well?
I think that’s a good question. We know that fraud evolves as fraudsters identify new areas that are vulnerable and lucrative to the fraudsters. That’s one reason the work group adopted the expandable fraud classification model I mentioned earlier. More specifically, over time, we expect to see new fraud vectors or pathways. You know, as we look backward, we see that that has occurred over the last number of years. And so, as we look at these new opportunities for fraudsters to attack the payment system, our work group intends to build in flexibility so the model can evolve to include those new vectors without a complete overhaul of the product we developed.
Flexibility, we think, will also encourage adoption. Our work group will recommend how to best use this fraud classification model, and to what extent the industry can adopt the model. Industry input and validation throughout this effort is critical. We’re committed to remaining transparent about our work and to leverage the industry’s expertise as we explore adoption possibilities. The Fraud Definitions Community Interest Work Group will receive regular updates and opportunities to provide feedback on work group deliverables. Anyone who is interested can sign up and watch this on the fedpaymentsimprovement.org website.
Our ultimate goal is to help mitigate and even prevent fraud. To do this, we must first better understand how fraud is perpetrated. And likewise, broader adoption of consistent fraud definitions and classifications will improve industry collaboration and fraud intelligence.
So often, how payment fraud was perpetuated is unknown until well after the loss is discovered– friendly fraud obviously being one example of this. So how might a fraud classification methodology compensate for this problem?
Inconsistent classification reporting of payments fraud data makes it difficult to aggregate information across the industry. Sometimes, in-depth data mining or synthesis is really required to begin identifying trends. The fraud classification model will be designed to provide a consistent way to look at fraudulent transactions, fostering the ability to more quickly understand and react to trends. As the adoption of this model matures, the work group predicts this model could actually help identify trends more proactively, which would help prevent fraud. So one of the things we really want to make sure is that we’re seeing trends, and this way, we perhaps can get ahead of where the next fraud is going to occur.
Right. Now another problem is that fraud is often double-counted. Do you expect your methodology to account for this?
Yes, and I’ll say the work group quickly identified this problem. When talking about design considerations for the model, the group noted the data must be accounted for only once, which will also provide flexibility to view or synthesize the data in multiple ways.
Great. Now if I could, I would like to turn the conversation to another Federal Reserve payments security initiative. I understand that the Fed has started to look into synthetic identity payments fraud, and that’s where fake identities are used to defraud financial institutions and other payments stakeholders. So why has the Fed identified this as a major payments security initiative for 2019?
Many industry stakeholders have told us synthetic identity payments fraud is a major concern for their organizations. This type of fraud has been rising due to large-scale data breaches that put personal information at risk. The shift to remote payment channels, particularly for account openings, as well as gaps in fraud detection methodologies, certainly contribute this to being a major concern. In many cases, the longer-term nature of fraud–for example, if a child’s Social Security number is used to create the synthetic ID–[means that it] could be years before the fraud is discovered.
As the Federal Reserve, our focus is on payments fraud, although synthetic identity fraud affects other areas as well, such as healthcare and federal benefit payments. Our synthetic identity payments fraud initiative focuses on awareness, research and industry dialogue to increase awareness of the importance of mitigating this type of fraud. Focus areas include definitions, causes and contributing factors, detection, controls, and mitigation approaches and best practices.
We kicked off our awareness effort in April by publishing an overview article and holding a webinar to raise awareness of synthetic identity payments fraud and how it’s perpetrated. We’re seeing strong interest in this topic, with more than 300 participants on the live webinar and another hundred or more who listened to the recording in the two weeks since then. So we’re going to continue our awareness efforts with a series of white papers and subsequent webinars starting this summer. You can find this information and more on our fedpaymentsimprovement.org website.
One of the things we also want to understand here, and that is: what is the overall scope of this particular issue, in terms of a dollar [amount] as well as the frequency of it occurring? Particularly as we look at its tie-back to some other areas related to data breaches and exposure of personal information.
Great. No, certainly, thank you for that. Now if we could, I’d like to take a little bit deeper dive here and I think you touched upon it a little bit. What specifically is the Federal Reserve looking at when talking about synthetic identity fraud?
So, as part of our research, we’ve spoken with subject matter experts across the payments ecosystem, and we’ve learned a lot so far. There are two key themes that we’re exploring further.
First, there is no single definition of synthetic identity fraud. Organizations define synthetic identity fraud differently, so we need to align as an industry on the definition. This has a close tie to our fraud definitions effort, by the way. We have to be speaking the same language as an industry in order to have a productive conversation.
Second, as an industry, we need to improve our understanding of this type of fraud. It’s difficult to identify fraud involving synthetic identities due to various factors. One is, it’s hard to differentiate it from traditional identity theft with current detection tools. Likewise, it’s oftentimes written off as bad debt because it looks like a legitimate account that’s defaulted. And the fraudsters are becoming much more sophisticated about hiding their tracks. Anecdotally, we’ve heard scenarios that point to where they may hire someone to come to the bank with a fraudulent driver’s license to prove the reality of their synthetic identity.
The increasing number of data breaches have contributed to the increase in payment fraud. Now, how do you think about the long-term approach the Federal Reserve and the industry could take to address this aspect of payments fraud?
So there are many factors contributing to data breaches and not all data breaches result in fraud. Our focus is how stolen personal information can be used to create synthetic IDs for payments fraud, in particular. Better understanding and calling further attention to the issue can foster dialogue and action within the industry and individual organizations.
When we look at cybersecurity issues, the United States has made significant progress because we collectively recognize it’s us against the fraudsters. So, we’d like to see a similar level of dialogue and collaboration against synthetic ID fraudsters, as well. In fact, dialogue and collaboration with the industry continue to be a top priority for the Federal Reserve as we focus on addressing areas of common concern and interest, and opportunities for improvement in our leader/catalyst role in the payments system.
So, we value the interest and partnership of others in the payments ecosystem, and we always encourage them to learn more and obtain updates on this and other work by joining our FedPayments Improvement Community. I’ll likewise point out that, as we are engaging the industry both in our fraud definitions work and our work regarding synthetic identities, the feedback we have been receiving has been very positive and encouraging the Fed to continue to play a role here, and a recognition by industry participants that these two specific areas are ones that require the attention we’re trying to bring to them.
Excellent. Well, that sounds fantastic. Ken, thank you so much for taking the time today for speaking to us about fraud and the work group and we hope to have you back on the podcast real soon.
Thanks for the opportunity.